Episode76

From Paul's Security Weekly

Episode Media

mp3

RFIDIOt, Ubuntu Feisty Fawn and Cloning EN 4X05 RFID tags

  • Prerequisites:

First off, we will need to install Python and some additional modules. We need Python 2.5, python-serial, python-psyco, python-imaging, python-pycrypt, and python-imaging-tk. If we want to be able to read passports at some point, we will also need to install OpenSSL. My install contained OpenSSL already, so this is more of a note for those looking to use this with a different distro.

Using Aptitude under Ubuntu, we need to perform the following:

sudo aptitude install python2.5 python2.5-dev python-serial python-psyco python-imaging python-pycrypt python-imaging-tk

Once those are installed, we can successfully use RFIDIOt after configuring it.

  • Attaching the reader:

In this example I'm using the ACG RFID reader. As this reader implements the FTDI serial converter, Feisty Fawn already will recognize the device (with issues, so keep reading). On other distros, you may need to load the kernel module manually with:

modprobe ftdi_sio vendor=0x0403 product=0xdd20

Under Feisty Fawn, I encountered some issues with utilizing the USB ACG reader. After careful inspection of dmesg output, I was able to determine that the USB reader was connected properly, and disconnected by another module. The module was brltty, which is used by Feisty Fawn to support braille terminals. In my case, a braille terminal isn't going to do me a lot of good. The best way I have found to resolve this issue is to remove the braille terminal module support (and X11 braille terminal support) altogether. We can do this with the following command:

sudo aptitude remove brltty brltty-X11

It is important at this step to answer NO to the first question asked by aptitude about package dependency removal! You will note that by trying to remove brltty-X11, aptitude attempts to remove ubuntu-desktop, which contains the X server! If we still want a GUI, this is a bad idea. If we answer yes to the SECOND question posed by aptitude, we will be all set. We'll note that this question omits the removal of ubuntu-desktop.

  • Configuring RFIDIOt

In this example I'm using version 0.1p, although the configuration has been the same for as many revisions back as I have tried it. First off, we need to define a reader type, port and speed. We can do this by editing the RFIDIOtconfig.py file (with vi), located in our RFIDIOt directory. In this file, we need to make sure that these settings are true:

  • 1.) In the serial port section, line="/dev/ttyUSB0" is uncommented, and all other directives are commented out.
  • 2.) In the reader type section, readertype= RFIDIOt.rfidiot.READER_ACG is uncommented, and all other directives are commented out.
  • 3.) In the speed section, speed= 9600 is uncommented, and all other directives are commented out.

Once these configurations are complete, RFIDIOt is ready for use with our reader.
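
A quick way to verify the three settings before attaching the reader, as an added example that is not part of RFIDIOt or the original notes. It assumes a Python 3 interpreter for the checker itself; the function name check_config and the sample config text are constructed for illustration. Because the config file is plain Python, a later uncommented directive overrides an earlier one, which is what the check reports.

```python
import re

# Expected values follow the three settings listed above.
EXPECTED = {
    "line": '"/dev/ttyUSB0"',
    "readertype": "RFIDIOt.rfidiot.READER_ACG",
    "speed": "9600",
}
# An uncommented assignment to one of the keys; a trailing comment is ignored.
ACTIVE = re.compile(r"^\s*(line|readertype|speed)\s*=\s*(.*?)\s*(?:#.*)?$")


def check_config(text, expected=EXPECTED):
    """Return a list of problems; an empty list means the file matches."""
    active = {key: [] for key in expected}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = ACTIVE.match(raw)
        if m and m.group(1) in active:
            active[m.group(1)].append((lineno, m.group(2)))
    problems = []
    for key, want in expected.items():
        hits = active[key]
        if not hits:
            problems.append(f"{key}: no uncommented directive")
            continue
        if len(hits) > 1:
            # The config is plain Python, so the last assignment wins and an
            # earlier correct line is silently overridden.
            where = ", ".join(str(n) for n, _ in hits)
            problems.append(f"{key}: {len(hits)} active directives (lines {where})")
        lineno, got = hits[-1]
        if got != want:
            problems.append(f"{key}: effective value {got} on line {lineno}, expected {want}")
    return problems


# Constructed sample files, not copied from the RFIDIOt distribution.
GOOD = '''
#line= "COM1"
line= "/dev/ttyUSB0"
readertype= RFIDIOt.rfidiot.READER_ACG
#speed= 57600
speed= 9600
'''
# Same file with the alternative speed left uncommented after the right one.
BAD = GOOD.replace("#speed= 57600\nspeed= 9600", "speed= 9600\nspeed= 57600")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_config(sample) or "ok")
```

To check a real install, pass the contents of RFIDIOtconfig.py to check_config instead of the sample strings.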

  • Cloning an EN 4X05 tag:

Adam has made this real easy to do! With our reader attached, in our RFIDIOt directory we will execute:

./unique.py CLONE

Unique will then wait for the source tag to be presented. When the source tag has been successfully read, it will wait for a writable tag to be presented. Don't worry if your source is read multiple times - the reader can tell that it is the same tag, and not writable. When presented with a writable tag that can emulate a unique tag (Q5 or HITAG), it will automatically write the source information!

  • Testing the clone:

Adam has also included another great Python program for reading multiple successive tags called multiselect. We can execute it from the RFIDIOt directory with:

./multiselect.py

The software will then wait for tags to be presented and will keep reading until removed, where it will continue to wait. We can exit at any time with a CTRL-C. I've also found that this is a great way to pre-test the tags before cloning: I've found that the implantable tags (implanted or not) are finicky reading and writing, and work much better at certain angles and orientations.

Stories for Discussion

Adobe Flash Vulnerabilities Released - [Paul] - Buffer overflows found in Flash that affect Windows, Mac, Linux, and OS X. Yikes! All you have to do is load an SWF and you are pwned. Funny, the other day I was transported to an online pharmaceutical site after investigating comment spam. That would be a good place to put an evil SWF. Time to re-install noscript and tell it to block all Flash.

More Quicktime Vulnerabilities - [Paul] - So if you thought you were safe by disabling and/or patching flash, Quicktime can be just as deadly. Count them, 8 vulnerabilities were recently patched! And wow, don't let me forget to tell you about Mpack...

Sun Java Runtime Environment vulnerability allows remote compromi - [Joe] - "A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet." [Paul] - So you've patched your instance of Flash and Quicktime, now it's time to update Java, again and again. That's right, Sun couldn't get it right the first time and the bug still existed in the patched version. More info here.

Holy Client-Side Vulnerabilities Batman!

Greek Wiretapping - [Larry] - An interesting read on tapping cell phones, what can go wrong in a forensics process, and potential for an inside job. Interesting details on how the hack was performed - rootkit for very specialized equipment

PDF SPAM on the rise - [Larry] - Ugh, before it was images, now it is PDFs. We spent all of this time not allowing images to be displayed in mail clients, so now they send us PDFs. Who blocks PDFs? That isn't really practical, and we all know that, even though our users have been taught otherwise, they still open odd attachments from people they don't know.

WinPcap Privilege escalation - [Larry] - Now maybe not that big of a deal, but think about how many good windows tools use WinPcap.

How to beat an Audit - [Larry] - I wouldn't say that this is beating an Audit. I'd say that this is a good set of practices that you should be doing anyway. If they are good, and you are doing them, it isn't really beating anything. We can discuss the 8 suggestions from the article...

Funny Video on Identity Theft - [Paul] - It makes a good point, if my identity is stolen and someone is taking money from my account without my permission, it's still theft and my bank should help me.

0-day has 348 Day lifecycle - [Larry] - How do you know? By definition, a 0-day is something not public, that you don't know about. So, how do you measure the unknown?

F-Secure FSCSI-ies stuff up - [Larry] - Wow, this is neat. F-Secure demoed a tool for visually analyzing what malware/viruses do to your system, by comparing a clean state to a post infected state. The tool shows relationships and new items installed, started and modified. It's like the Gibson interface for Malware!

Cyberstalking Potential Employers - [Larry] - Much like google hacking, here are a few other methods to learn about the network of a potential employer before you interview there. Not only that, but it may help you reveal more partners, subsidiaries and other things that you may not know about.

How to Beat a Security Audit - [Paul] - All good stuff that you should be doing all the time, not just when you are going to be audited.

Security blogger pushes "crudware" - [Larry] ...well, not really. He let his blogger account expire, and someone claimed it when it went back to rotation. The new owner forced malware to unsuspecting visitors. Beware url squatters...something similar but different happened to our compatriot Victor Cajiao.

802.1X for non PCs - [Larry] - Oh dear god, thank you! Now no more lower security networks for PDAs, VOIP phones, and all of the other devices without a supplicant. While not available yet, please give these guys a word of encouragement. It looks as though it might be FREE too...

WabiSabiLabi...CrabiFlabbiDrabbi - [Larry, Paul] - Auction site for 0-day exploits? Discuss.

Other Stories of Interest

YouTube used as a tool to spread malware - [Joe] - This is hilarious- the hacker advertises a Grand Theft Auto mod through a demo video on YouTube. Not only is the video totally lame, but the download link he posts in the video to get the mod is really a trojan

Interesting Anti-Virus Vulnerabilities and Tidbits - [Paul] - Yet more client-side stuff, including some interesting stuff from Micro$oft

Change your Browser User Agent to Googlebot Lets gives you VIP access to some sites - [Joe] - This trick isn't new, but it's still worth mentioning if you haven't thought of it before. Change your browser's "User Agent" id to that of Googlebot and you might be able to gain exclusive access to restricted areas on sites. And here is a good htaccess file to block tricks like this.

ATM in Pennsylvania Hacked - [Andy] - This ATM was different than the Tranax model that was previously reported to have its manual available via the Internet, but guess what this Triton ATM does too! The thief was able to enter the master password of "123456" and reprogram the ATM to think that instead of dispensing $20 bills it was dispensing $1 bills.

Nokia S60 Web Server - [Andy] - Nokia has released a web server product to run on their series 60 phones, which makes all sorts of content on the phone (contacts, calendars, images) accessible over the web. In addition to the information leakage possibilities, I think this would make a great malware distribution tool. Need a great way to seed malware or a worm onto the Internet? Use a phone with a pre-paid SIM card to distribute it!